
Clusters

This article details data model clusters, default clusters, and how to create and modify clusters.

What are clusters?

Brinqa aggregates, consolidates, and enriches data from various external data sources, and maps them to the corresponding data models. There are basic filters, such as compliance status, targets, CVE IDs, and more, to facilitate searching and grouping your data after being collected. But if you want to classify your data further, Brinqa also provides a feature called clusters, where you can add your own grouping based on the characteristics of your data.

Clustering is a method of grouping similar items together based on their attributes or characteristics, similar to tagging. However, clustering is an automated process that occurs after your data has been imported into Brinqa and consolidated, while tagging is a process where you must assign tags or labels to individual items before your data is imported into Brinqa. Once tags have been assigned, they can be used to organize and group items.

In the Brinqa Platform, you can use clusters to group assets, findings, or users based on your criteria specified in a query. As your data changes, clusters continue to update and apply, ensuring that grouping remains accurate and relevant over time. To help you get started with clusters, this article also includes a few tutorials.

Default cluster types

Brinqa Platform comes with some built-in clusters to ensure that data orchestration and reporting work consistently. The default cluster types and their supported data models are as follows:

Assets

  • Environments: The environment where an asset belongs, such as internally, externally, or at a corporate office.

  • Profiles: The business profile where an asset belongs, such as a developer's workstation or an Office Internet of Things (IoT).

  • Technologies: The technologies that an asset utilizes, such as AWS (Amazon Web Services), Azure, GCP (Google Cloud Platform), or Windows.

  • Types: The category that classifies the asset, such as laptops, servers, phones, tablets, or mainframes.

    All Asset cluster types cover the following data models: Account, Application, Certification, Code project, Code repository, Container, Container image, Device, Host, Host image, IP range, Network segment, Package, Person, Service, Site, Site certificate, and Subnet.

Finding definitions

  • Affected technologies: The technologies that are affected by a finding, such as Azure or Kubernetes.

  • Profiles: The business profile where a finding belongs, such as your 2023 target findings, OWASP (Open Worldwide Application Security Project), or CISA (Cybersecurity & Infrastructure Security Agency).

  • Types: The category that classifies the finding, such as information exposure or XSS (Cross-Site Scripting).

    All Finding definition cluster types cover the following data models: Dynamic code finding definition, Manual finding definition, Open source finding definition, Pentest finding definition, Static code finding definition, Violation definition, and Vulnerability definition.

Ownership

  • Risk owners: The owner or owner group that manages the risk of a finding, such as the IT Security team responsible for addressing and remediating vulnerabilities, the cloud security team in charge of managing risks associated with your cloud infrastructure and services, or a third-party risk management team.

  • Remediation owners: The owner group that is responsible for mitigating the risk of a finding, such as patching teams, product developers, or DevOps.

    All Ownership cluster types cover the following data models: Account, Application, Certification, Code project, Code repository, Container, Container image, Device, Dynamic code finding, Finding, Host, Host image, Installed package, IP range, Manual finding, Network segment, Open source finding, Package, Pentest finding, Person, Service, Site, Site certificate, Static code finding, Subnet, Violation, and Vulnerability.

Create a new cluster

Users with the Configurator or System Administrator role can create new clusters to group data as desired. To create new clusters, follow these steps:

  1. Navigate to Clusters and click the cluster type you want to create.

  2. Click Create and fill in the fields below:

    • Name: The name of the cluster.

    • Active: Whether the cluster is active or not. This field is selected by default.

    • Default: Whether the cluster is a default cluster or not.

    • Description: The description of the cluster.

    • Conditions: Click + to add cluster criteria for each data model. You can create a cluster that applies to multiple data models.

      • Target data model: Click the drop-down and type or select the data model to which the cluster applies.

        caution

        Avoid selecting a parent data model (such as Asset, Finding, or Ticket) as the target. For example, instead of Asset, select a data model that extends Asset, such as Account, Host, Cloud Resource, and so on. This is because parent data models are not computed during consolidation and choosing a parent data model can result in inaccurate or empty counts in the cluster.

      • Active: Indicate whether the condition is active. This field is selected by default.

      • Condition: Specify the condition to group your data. The supported syntax is Brinqa Condition Language (BCL). For example: firstFound EXISTS or status = "Active".

      • Test condition: Click Test condition to see the results retrieved by the condition. This ensures that your cluster groups the expected data.

    Click + to add additional conditions to the cluster.

  3. Click Create.

Repeat these steps for each cluster you want to create.

Apply clusters

Your new cluster applies when the data orchestration runs. However, if you want the new cluster to go into effect immediately, follow these steps:

  1. Navigate to Administration > Data > Models.

  2. Navigate to each data model you've selected as the target data model, and click Flows.

  3. Click the compute flow for your data model. For example, if you have specified a condition for the Host data model in your cluster, click Host compute flow.

  4. Click Launch, and then click Launch again in the confirmation dialog.

  5. Repeat steps 2-4 for each target data model you've selected during the cluster creation process.

  6. Navigate to the data model page of the cluster type you've added. For example, if you've created a new environment cluster, navigate to the Environment data model page and click Flows.

  7. Click Environment compute flow, then Launch, and then click Launch again in the confirmation dialog.

    This step updates the total number of your data that is grouped into the new cluster.

If you see inaccurate or outdated counts for the new cluster, you might need to clear the cache. Only System Administrators can clear caches. To do so, follow these steps:

  1. Navigate to Administration > System > Advanced.

  2. Select BQL Count cache and BQL Query cache.

    BQL Count cache is for charts and BQL Query cache is for tables and list views.

  3. Click Clear data.

View and manage clusters

Users with the Configurator or System Administrator role can view, manage, or add conditions for other data models to existing clusters. To do so, follow these steps:

  1. Navigate to Clusters. Your clusters display in a list view.

  2. Hold your pointer over the cluster you want to edit or examine, and click Edit.

  3. Modify the fields as needed or add conditions for other data models.

  4. Click Update.

Tutorial: Group assets based on their environment

This tutorial demonstrates how you can create a new cluster to group your assets that reside in a development environment. Clustering your assets by their environment can be useful for a few reasons:

  • Risk exposure: Development environments may be less secure than production environments and may have more exploitable vulnerabilities or weaknesses. By identifying assets that are in development versus production, you can better understand your overall risk exposure and prioritize remediation efforts accordingly.

  • Compliance requirements: Many compliance frameworks require organizations to maintain strict separation between development and production environments and have different security controls in place for each environment. By identifying assets in each environment, you can ensure that you are meeting those compliance requirements.

  • Change management: Development and production environments often have different change management processes and requirements. By identifying assets in each environment, you can take steps to ensure that you are following the appropriate processes and procedures when making changes to those assets.

note

The syntax and steps described in this tutorial may vary from how your organization tags assets based on the specific environment.

To cluster your assets by their working environment, follow these steps:

  1. Navigate to Clusters > Assets > Environments.

  2. Click Create and fill in the fields as shown below:

    • Name: Type "Development Environment Assets".

    • Active: Keep as is. Active is selected by default.

    • Default: Keep as is. Default is not selected by default.

    • Description: Type "Assets in the development environment".

    • Conditions: Click + and specify the clustering criteria.

      • Target data model: Select or type Host.

      • Active: Keep as is. Active is selected by default.

      • Condition: Enter tags Contains "Development". This condition ensures that the hosts are grouped by those tagged as in a development environment.

        • You can do the same for hosts in different environments by replacing Development with a different environment tag, such as Production, Testing, or Staging, depending on how you tag your assets.

        Click Test condition to see the results retrieved by the condition.

    • Click + and add the same condition for any other data models that extend Asset and support tags that you want to group in this cluster, such as applications, devices, subnets, or containers. This ensures that the cluster also includes any additional assets in the development environment.

  3. Click Create. The page reloads and the new environment cluster displays on the Environment clusters page.

  4. Navigate to Administration > Data > Models.

  5. Navigate to the Host data model page and click Flows.

  6. Click Host compute flow, then Launch, and then click Launch again in the confirmation dialog. This starts the actions needed to group the Host data specified in the condition. Wait for the flow to run successfully.

    • Repeat steps 5 and 6 (launch compute flow) for each individual data model specified in the condition.

  7. Navigate to the Environment data model and click Flows.

  8. Click Environment compute flow, then Launch, and then click Launch again in the confirmation dialog.

    note

    Your clusters also apply once a day through data orchestration.

  9. Navigate to Inventory > All assets.

  10. Click the Environments filter and select Development Environment Assets. You can also type the following BQL query to view the clustered assets: FIND Asset AS a THAT WITHIN Environment as e where e.displayName = "Development Environment Assets"

    • If you use the filters, you may need to click More and select Environments for the Environments filter to display. You may also need to click Column and select Environments for the Environments column to display in the list view.

  11. Click Apply.

New cluster displays in the list view

The Hosts list view refreshes and only displays the hosts with the specified environment. Click an entry in the list view and under the Tags section in the slide-out view, you should see Development. This provides additional confirmation that the host was successfully grouped as part of the "Development Environment Assets" cluster.

Development tag displays in the slide-out view

Another way you can confirm the hosts have been successfully grouped is to navigate to Clusters > Assets > Environments and compare the value in the Total column with the value that displays in the list view when you apply the Development Environment Assets filter. If the cluster is functioning as intended, the values should match.

Tutorial: Group assets based on their device type

This tutorial demonstrates how you can create a new cluster to group your assets based on the asset type. Asset types can include, but are not limited to, laptops, virtual machines, desktops, servers, software, tablets, phones, or printers. Clustering your assets by their type can be useful for a few reasons:

  • Enhanced visibility and control: By grouping assets by their type, you can gain a better understanding of the distribution and usage of your assets across your organization. This enhanced visibility can help you identify potential security risks, track asset ownership, and manage your assets more effectively.

  • Efficient resource allocation: Clustering your devices can help you allocate resources more efficiently by identifying groups of assets that require similar treatment or remediation. For example, if a cluster of laptops is found to have a common vulnerability, you can prioritize the remediation efforts for that specific cluster rather than addressing each laptop individually.

  • Improved risk management: By grouping assets by their type, you can identify clusters of assets that are more critical to your business operations or that require additional protection due to their sensitivity or value.

To cluster your assets based on the device type, follow these steps:

  1. Navigate to Clusters > Assets > Types.

  2. Click Create and fill in the fields as shown below:

    • Name: Type "Apple iPhones". This specific cluster groups all company issued Apple iPhones together.

    • Active: Keep as is. Active is selected by default.

    • Default: Keep as is. Default is not selected by default.

    • Description: Type "All company issued Apple iPhones".

    • Conditions: Click + and specify the clustering criteria.

      • Target data model: Select or type Device.

      • Active: Keep as is. Active is selected by default.

      • Condition: Enter name CONTAINS "iPhone". This condition ensures that all company issued iPhones are grouped together in the cluster. The specific syntax and condition may vary depending on the manufacturer or model of the phone your organization issues to employees. For example, if your company uses Android phones, the syntax may be name CONTAINS "Android".

        • You can follow the same condition syntax for any device you want to group in a cluster. For example, if you want to group all Macbook laptops, the condition might be name CONTAINS "Macbook" or if you want to group all company issued iPads together, the condition may be name CONTAINS "iPad".

        Click Test condition to see the results retrieved by the condition.

  3. Click Create. The page reloads and the new asset type cluster displays on the Asset types clusters page.

  4. Navigate to Administration > Data > Models.

  5. Navigate to the Device data model page and click Flows.

  6. Click Device compute flow, then Launch, and then click Launch again in the confirmation dialog. This starts the actions needed to group the Device data specified in the condition. Wait for the flow to run successfully.

    • Repeat steps 5 and 6 (launch compute flow) for each individual data model specified in the condition.

  7. Navigate to the Asset type data model and click Flows.

  8. Click Asset type compute flow, then Launch, and then click Launch again in the confirmation dialog.

  9. Navigate to Inventory > All assets.

  10. Click the Type filter and select Apple iPhones.

    • If you use the filters, you may need to click More and select Type for the Type filter to display. You may also need to click Column and select Type for the Type column to display in the list view.

  11. Click Apply.

The Phone asset type displays in the asset list view

The Assets list view refreshes and only displays the devices with the specified asset type. Click an entry in the list view and under the Clusters section in the slide-out view, you should see Type > Apple iPhones. This provides additional confirmation that the device was successfully grouped as part of the "Apple iPhones" cluster.

The assets showing as "iPhone" types in the slide-out view

Another way you can confirm the devices have been successfully grouped is to navigate to Clusters > Assets > Types and compare the value in the Total column with the value that displays in the list view when you apply the Apple iPhones asset type filter. If the cluster is functioning as intended, the values should match.

You can also view the clustered data in a graph. To do so, navigate to Explorer and type the following BQL query:

FIND Asset AS a THAT IS AssetType AS at WHERE at.displayName = "Apple iPhones"

The Apple iPhone cluster assets displayed on the explorer graph

Similar to the list view, click one of the Apple iPhone entries on the graph to view specific device information, including the connector that the device was sourced from, risk details, when the device was first seen, last seen, and more.

Tutorial: Create an ownership cluster to grant access control

The purpose of the ownership clusters within the Brinqa Platform is to provide access control to the data sets. For example, you can give users permission to access certain assets, findings, or both through the ownership clusters. You can create a new Risk owners cluster or Remediation owners cluster, or use the built-in clusters. In both cases, the user must have the Risk analyst role assigned and you must add the designated user as a member to the relevant cluster.

Users with the Configurator or System Administrator role can create or edit clusters. To create a new risk owner cluster, follow these steps:

  1. Navigate to Clusters and click Risk owners.

  2. Click Create and fill in the following fields:

    • Name: Enter a name for the cluster.

    • Description: Provide a description for the cluster.

    • Members: Select the user or users to be members of the cluster, who will have access to the data sets defined by the conditions. These users must have the Risk analyst role.

    • Conditions: Click + to add criteria for each data model. At the minimum, risk owners should have access to a set of hosts and vulnerabilities.

      • Target data model: Click the drop-down and select Host.

      • Order: Specify the condition evaluation order for the target data model.

        This field is important because it signifies the order that the Brinqa Platform follows to evaluate the conditions specified in this cluster and other clusters defined for the same data set. The evaluation stops after a match is found, ensuring that each record is subject to only one ownership cluster. Therefore, it is logical to prioritize the most specific conditions first.

      • Condition: Specify the condition to define the hosts you want this cluster to view. The supported syntax is Brinqa Condition Language (BCL).

        For example, if the os CONTAINS "Windows" condition is met, users in this cluster can view hosts running the Windows operating system.

      • Click Test condition to see the results retrieved by the condition. This ensures that your cluster groups the expected hosts.

    • Click + to add a condition for Vulnerability.

      • Target data model: Click the drop-down and select Vulnerability.

      • Order: Specify the condition evaluation order for the target data model.

      • Condition: Specify the condition to define the vulnerabilities you want this cluster to view.

        For example, if the targets.os CONTAINS "Windows" condition is met, users in this cluster can view vulnerabilities detected on machines running the Windows operating system.

      • Click Test condition to see the results retrieved by the condition. This ensures that your cluster groups the expected vulnerabilities.

  3. Click Create.

If needed, repeat the steps to create a new cluster in Clusters > Remediation owners.
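As an added illustration (not Brinqa's code), the following Python models the condition shapes used in this article and in the two tutorials above (field EXISTS, field = "x", field CONTAINS "x", including dotted paths such as targets.os) together with the first-match-in-Order rule described for ownership clusters, so you can see why a broad condition ordered first starves a more specific one. The sample hosts, cluster names, and the treatment of CONTAINS on list fields such as tags are assumptions, not documented BCL behaviour.

```python
# Added illustration, not Brinqa code: toy evaluator for the three BCL shapes quoted in this
# article, plus the documented first-match-in-Order rule. Sample records are constructed.
import re
from typing import Any, Dict, List, Optional, Tuple

# Supported subset: field EXISTS | field = "x" | field CONTAINS "x" (keyword case-insensitive)
_COND = re.compile(r'^\s*([\w.]+)\s+(EXISTS|=|CONTAINS)\s*(?:"([^"]*)")?\s*$', re.I)

def get_path(record: Dict[str, Any], path: str) -> Any:
    """Resolve a dotted path such as targets.os; a list fans out to a list of values."""
    value: Any = record
    for part in path.split("."):
        if isinstance(value, list):
            value = [item.get(part) for item in value if isinstance(item, dict)]
        elif isinstance(value, dict):
            value = value.get(part)
        else:
            return None
    return value

def matches(condition: str, record: Dict[str, Any]) -> bool:
    """True if the record satisfies one condition written in the supported subset."""
    m = _COND.match(condition)
    if not m:
        raise ValueError(f"unsupported condition: {condition!r}")
    path, op, literal = m.group(1), m.group(2).upper(), m.group(3)
    value = get_path(record, path)
    if op == "EXISTS":
        return value not in (None, "", [])
    if literal is None:
        raise ValueError(f"{op} needs a quoted value: {condition!r}")
    if op == "=":
        return value == literal
    # CONTAINS: substring on a string; for list fields (tags, targets.os) any element may match
    items = value if isinstance(value, list) else [value]
    return any(isinstance(v, str) and literal in v for v in items)

Cluster = Tuple[int, str, str]  # (Order, cluster name, condition)

def assign_owner(record: Dict[str, Any], clusters: List[Cluster]) -> Optional[str]:
    """Evaluate conditions in ascending Order; the first match owns the record."""
    for _order, name, condition in sorted(clusters):
        if matches(condition, record):
            return name
    return None

def owner_counts(records: List[Dict[str, Any]], clusters: List[Cluster]) -> Dict[str, int]:
    """How many records each cluster captures, plus the records no cluster owns."""
    counts = {name: 0 for _, name, _ in clusters}
    counts["(unowned)"] = 0
    for record in records:
        counts[assign_owner(record, clusters) or "(unowned)"] += 1
    return counts

HOSTS = [  # constructed sample hosts
    {"name": "fin-dc-01", "os": "Windows Server 2019", "tags": ["Finance", "Production"]},
    {"name": "web-01", "os": "Ubuntu 22.04", "tags": ["Development"]},
    {"name": "hr-pc-07", "os": "Windows 11", "tags": ["HR"]},
]
SAMPLE_VULN = {"title": "Missing security update", "targets": HOSTS[:2]}  # constructed
# Same two clusters, different Order: the broad Windows rule shadows Finance when it runs first
SPECIFIC_FIRST = [(1, "Finance risk owners", 'tags CONTAINS "Finance"'),
                  (2, "Windows risk owners", 'os CONTAINS "Windows"')]
BROAD_FIRST = [(1, "Windows risk owners", 'os CONTAINS "Windows"'),
               (2, "Finance risk owners", 'tags CONTAINS "Finance"')]
```

Running owner_counts(HOSTS, SPECIFIC_FIRST) gives each team one host, while BROAD_FIRST gives the Windows cluster both Windows hosts and the Finance cluster none, which is the shadowing the Order field is meant to avoid.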

Clusters are synced through data computation. However, if you want the new clusters to go into effect immediately, follow these steps:

  1. Navigate to Administration > Data > Models.

  2. Locate the data model that you have defined in the cluster. For example, Host or Vulnerability.

  3. Click Flows.

  4. Click the compute flow of your data model. For example, for the Host data model, click Host compute flow.

  5. Click Launch, and then click Launch again in the confirmation dialog.

  6. Repeat the steps for all the data models defined in your clusters.

  7. Navigate to the Risk owner or Remediation owner data model and click Flows.

  8. Click Risk owner compute flow or Remediation owner compute flow, then Launch, and then click Launch again in the confirmation dialog.

After the flows have run successfully, navigate to Clusters > Risk owners or Clusters > Remediation owners and click the cluster that you have created. Verify that the data sets defined by the conditions are viewable in the cluster. Alternatively, log in as a member of your clusters and verify that they can view the selected data sets.